@CriticalErrorMaybe you can provide a zip containing the whole ollydbg folder already setup and with all the necessary plugins and modifications so that the users can just unzip and use it without looking for dead links and editing stuff.

done mate, here is the ollydbg folder I use before I think all is there but maybe not xD long time ago doing it and leave it so well it still there and hope it works.

BUMP - just want to know if anybody has successfully used against any Themida 2.4 target.

TetraMan wrote:

Has anybody used this method against Themida 2.4?

I successfully unpacked an app protected by earlier Themida.

Now I am attempting unpacking of app protected by Themida 2.4

Some of the script popups are not appearing as expected (specifically, the very first popup during the first run - it does not appear... the application simply continues to run as normal), however, the script does produce a dump (unpacked) executable.

Upon running the unpacked version, however, it crashes with "... instruction at... referenced memory... The memory could not be read."

If anybody has successfully unpacked an app protected by Themida 2.4, did you use this method? Did the process go as outlined in the instructions? Did you do anything differently?

What version of Themida is your target protected by?If it is Themida v2.4 or later, I have found these techniques may not work.

I have successfully used these techniques on targets protected by Themida v2.3 and earlier. However, my latest target is protected by Themida v2.4 and these techniques do not seem to work properly. The unpacked application throws errors. Also, the normal screens/windows did not appear during the unpacking process.

While this "How Unpack Themida 2.x.x" approach does not seem to work with targets protected by Themida > v2.4, you should find the process will work for you in unpacking your older target.

You will need the tools listed in earlier posts, eg: Olly and others. I use VMware workstation to host a clean installation of Windows XP (32bit). I am certain you can find both of those things available on the web. You can then easily follow the excellent instructions in earlier posts to this thread and unpack your target!

Hi guys. I have the same issue as a previous poster, and I didn't see it answered, so I'll ask for us both again.

I'm using a 32-bit Windows 7 VM. (ESXi). I have Olly 1.10, and all the plug-ins. I have my ollydbg.ini configured correctly, and I get to the step right after "Disable Noppers" and my target pops up a message box.

In the script window, I see this:

Code:

If WL doesen't use a MessageBoxExA API to show you the HWID Nag or other messages then it used a custom code.In this case just pause the script if you see the message then pause Olly open call stack and set a soft BP from where it was called from = after message loop.Now remove BP again and set the script eip on the label......

CUSTOM_HWID_NO_MESSAGEBOX_SET_SCRIPT_EP_HERE

and then just resume the script. ;)

This is good advice, but seems to be missing a key component.

I pause the script, then pause olly, ALT-K to bring up the call stack, find the correct place, set the BP. Then what?

Set itUnset itadjust the script EIP to the CUSTOM_HWID_ label, and resume?

@supervirus5I guess you are a newbie in this field, so:1) you do NOT need that file, read viewtopic.php?p=18090#p180902) new to reverse engineering and advanced tools? welcome to false positives!3) CriticalError is a well respected and trusted user4) don't worry, it's not your fault, as I said that's normal if you are new to this stuff. Enjoy reverse engineering and learn

I don't know if I can ask here, but I tried this method on some unmaintained software that can't run on Win10 because of Winlicense ("internal exception occured (Address: 0x0)"). The script returned an .exe that looks like it's unpacked, but it won't run (exception 0xc0000005), so maybe I didn't unpack everything.

I used this script many times succesfully ... now on this target I get a message "An internal exception occurred .... Please, contact support@o*****.com. Thank you!". It pop out after the Log Window says "IAT WAS MANUALLY PATCHED!" and an Hardware BP was handled and 2 more modules loaded.

Please stop make post about errors, read carefully all thread, I won't give support for unpack it, i'm not a programmer and I do it few times and lucky no get errors, depend versions of themida you get different errors and need be fixed, the script won't do all, for run it you need make modifications for make it work exe,dll, so please stop bump topic asking for help, I can't do it, thanks for all and hope understand.

Thanks for your step by step tutorial .I have A few exe files packed by winlicence.

but unfortunately i can go until step 10 and in that step i have an error message : Problem!WL section not in stack to read - wrong irtualAlloc Call From! and cant go further.you can check my exe file here :https://mega.nz/#F!jI0xxSAI!Su9WvMCDCINUuF5RslbmHg

You cannot post new topics in this forumYou cannot reply to topics in this forumYou cannot edit your posts in this forumYou cannot delete your posts in this forumYou cannot post attachments in this forum